As organizations continue to expand their global networks by collaborating and communicating with employees and customers around the world, more and more sensitive data is being created and transferred across the internet by the day. Whether it’s customer’s personal information, health records, or patented company technology, it’s pivotal that private records are protected from all leaks, malicious or otherwise. Enter data loss protection, or DLP. DLP consists of tools and procedures that are deployed across the data lifecycle to prevent malicious exfiltration. While strong DLP products exist in the market, there’s more to data protection than just the right softwares.
Data Taxonomy: What’s It All About?
One key component of DLP is data taxonomy. In the study of biology taxonomy refers to naming, defining, and grouping organisms by similarities across a variety of criteria. So, how does this relate to effective data loss protection? Well, like science, creating a robust, repeatable, and well-structured classification system for your organization’s data allows you to easily identify, evaluate, and proactively protect secure information. Fundamentally, not all data is created equal. Certain documents, like those containing bank account details or social security numbers, stand to cause more damage to a company if leaked than something like an unused marketing presentation, or a memo about travel reimbursement policies. Let’s take a look at creating a taxonomy to classify our sensitive information.
The Basics of Data Classification
When it comes to categorizing data a few simple questions can help you quickly understand and evaluate your data taxonomy requirements:
- Who is responsible for data management?
- What proprietary data does your company produce?
- How sensitive is your data?
- What information is your company collecting from your customers?
Asking these basic questions- the who, what, where and why of data classification- should start to make clear where your immediate concern areas are, what information is the most valuable, and where you should be allocating your resources. From here, we can go about setting up our classification system. Most companies follow a similar format, with delineations between public, internal use, and restricted data.
- Public Data: Readily accessible information made for public dissemination. No legal or reputational risk if the data is leaked. Examples include press releases, job titles, and marketing materials.
- Internal Use: Information safe to be circulated within an organization, but not intended for public viewing. Moderate risk of legal or financial ramifications if information is leaked. Examples include employee emails, organization wide communications, work related documents without personal information, and shareholder documents.
- Restricted Data: Confidential information for select viewing by specific members of an organization. Catastrophic legal or financial damages if information leaks to the public. Also the most valuable data for potential thieves! Examples include employee Social Security numbers, customer information, financial records, and healthcare records.
Sorting organizational data into these three buckets is a good first step when it comes to building out a comprehensive data classification system. Once you understand and identify your organization’s specific DLP needs you can set up processes and policies that keep your information safe. Restricted data will be subject to the most security measures, whether it’s limiting access to those files to on a local company network, implementing two factor authentication, or granting conditional access based on designation. Meanwhile, public use information doesn’t need to be subject to the same scrutiny. This isn’t to say you should fail to adequately protect your information, but more expensive or time intensive resources should be allocated to more sensitive data.
Methods of Data Classification
In general there are two ways to classify data: manually or automated. Manual data classification is relatively straightforward and involves employees designating sensitivity levels based on the DLP policies you have in place. A major pro of manual data classification is it has arguably the highest accuracy. If the person evaluating the data is capable and follows protocols every piece of data should end up in exactly the risk level it needs to be. The big drawback of manual data classification is that it’s time intensive, and as companies continue to produce more and more digital information the task only expands.
Automated data classification can occur in two ways.
- Content-based: Information is scraped from the data and evaluated against a set of criteria. For instance, any number in the document will be checked against a SSN or driver’s license format. If it matches the criteria for what qualifies as sensitive information it will be screened and sorted accordingly.
- Context-based: Data is categorized based on the circumstances surrounding it. For example, all information on finance or HR employees’ systems might be automatically flagged as restricted use data. Physical location based screening is another prime example.
Classifying your data accurately might require a mix of manual and automated sorting, balancing the speed and efficiency of programmed algorithms with the savvy and nuance of a knowledgeable employee.
Tailoring DLP Policies for Protection and Performance
Now that we’ve established a streamlined, multifaceted data classification system we can begin to put it to use enabling our organization-wide DLP strategies. Fundamentally, DLP cannot exist without data classification. There’s too much information of too many different sensitivity levels to simply allow access to all information equally. Depending on the contents of the data we can make the authentication process simple or more stringent in order to protect company information.
Conditional access depending on department is one way to ensure only the right people are able to get their hands on certain data. HR team members will handle more restricted level data than other departments, and should have that factored into their login credentials. Geo-restricting sensitive data to certain locations, like on company networks, can also limit risk of leakages or unauthorized access.
How Venn Keeps Sensitive Data Safe
DLP is made easy with Venn, the secure workspace that isolates and protects work from any personal use on the same computer. Venn keeps data secure by allowing different levels of access based on endpoint safety through continual compliance assessment. Once endpoint security checks are passed and two factor authentication information is entered the user can work in Venn’s LocalZone™, the smart, secure perimeter that protects local work apps, files, and data and keeps them safe from personal computing. The LocalZone™ uses local computer resources and secures data with its bright blue border and badge, sacrificing neither speed nor security. If the endpoint checks are failed, Venn will run in a hosted environment, protecting company information. This conditional access, coupled with auditable screen sharing and capture approval, clipboard controls, and download/upload restrictions are all part of how Venn enables high quality DLP.
Book a crisp demo with us today and learn about how we can help you keep your organization’s data safe.